Accepting request 880134 from devel:languages:python

- Add 166-add-xfail-test_add_or_replace_parameter_fail.patch,
  which makes tests working with CVE-2021-23336 (bsc#1181270).

OBS-URL: https://build.opensuse.org/request/show/880134
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-w3lib?expand=0&rev=7

166-add-xfail-test_add_or_replace_parameter_fail.patch

@@ -0,0 +1,80 @@
+From 34c62eb265cdb75b748d8aca43a2f8b9581dbd6a Mon Sep 17 00:00:00 2001
+From: Eugenio Lacuesta <eugenio.lacuesta@gmail.com>
+Date: Wed, 10 Mar 2021 12:20:24 -0300
+Subject: [PATCH 1/8] [CI] Run tests on GitHub actions
+
+---
+ tests/test_url.py |   24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+ delete mode 100644 .github/workflows/build.yml
+ create mode 100644 .github/workflows/tests.yml
+
+--- a/tests/test_url.py
++++ b/tests/test_url.py
+@@ -2,11 +2,14 @@
+ from __future__ import absolute_import
+ import os
+ import unittest
++
++import pytest
++from six.moves.urllib.parse import urlparse
++
+ from w3lib.url import (is_url, safe_url_string, safe_download_url,
+     url_query_parameter, add_or_replace_parameter, url_query_cleaner,
+     file_uri_to_path, parse_data_uri, path_to_file_uri, any_to_uri,
+     urljoin_rfc, canonicalize_url, parse_url, add_or_replace_parameters)
+-from six.moves.urllib.parse import urlparse
+ 
+ 
+ class UrlTests(unittest.TestCase):
+@@ -76,17 +79,16 @@ class UrlTests(unittest.TestCase):
+     def test_safe_url_string_unsafe_chars(self):
+         safeurl = safe_url_string(r"http://localhost:8001/unwise{,},|,\,^,[,],`?|=[]&[]=|")
+         self.assertEqual(safeurl, r"http://localhost:8001/unwise%7B,%7D,|,%5C,%5E,[,],%60?|=[]&[]=|")
+-        
++
+     def test_safe_url_string_quote_path(self):
+         safeurl = safe_url_string(u'http://google.com/"hello"', quote_path=True)
+         self.assertEqual(safeurl, u'http://google.com/%22hello%22')
+-        
++
+         safeurl = safe_url_string(u'http://google.com/"hello"', quote_path=False)
+         self.assertEqual(safeurl, u'http://google.com/"hello"')
+-        
++
+         safeurl = safe_url_string(u'http://google.com/"hello"')
+         self.assertEqual(safeurl, u'http://google.com/%22hello%22')
+-        
+ 
+     def test_safe_url_string_with_query(self):
+         safeurl = safe_url_string(u"http://www.example.com/£?unit=µ")
+@@ -299,10 +301,6 @@ class UrlTests(unittest.TestCase):
+         self.assertEqual(add_or_replace_parameter(url, 'arg3', 'nv3'),
+                          'http://domain/test?arg1=v1&arg2=v2&arg3=nv3')
+ 
+-        url = 'http://domain/test?arg1=v1;arg2=v2'
+-        self.assertEqual(add_or_replace_parameter(url, 'arg1', 'v3'),
+-                         'http://domain/test?arg1=v3&arg2=v2')
+-
+         self.assertEqual(add_or_replace_parameter("http://domain/moreInfo.asp?prodID=", 'prodID', '20'),
+                          'http://domain/moreInfo.asp?prodID=20')
+         url = 'http://rmc-offers.co.uk/productlist.asp?BCat=2%2C60&CatID=60'
+@@ -327,6 +325,13 @@ class UrlTests(unittest.TestCase):
+         self.assertEqual(add_or_replace_parameter(url, 'arg1', 'v3'),
+                          'http://domain/test?arg1=v3&arg2=v2')
+ 
++    @pytest.mark.xfail(reason="https://github.com/scrapy/w3lib/issues/164")
++    def test_add_or_replace_parameter_fail(self):
++        self.assertEqual(
++            add_or_replace_parameter('http://domain/test?arg1=v1;arg2=v2', 'arg1', 'v3'),
++            'http://domain/test?arg1=v3&arg2=v2'
++        )
++
+     def test_add_or_replace_parameters(self):
+         url = 'http://domain/test'
+         self.assertEqual(add_or_replace_parameters(url, {'arg': 'v'}),
+@@ -741,4 +746,3 @@ class DataURITests(unittest.TestCase):
+ 
+ if __name__ == "__main__":
+     unittest.main()
+-

python-w3lib.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Mar 19 14:28:28 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add 166-add-xfail-test_add_or_replace_parameter_fail.patch,
+  which makes tests working with CVE-2021-23336 (bsc#1181270).
+
 -------------------------------------------------------------------
 Wed Jul 22 11:05:23 UTC 2020 - Marketa Calabkova <mcalabkova@suse.com>
 

python-w3lib.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-w3lib
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,10 @@ License:        BSD-3-Clause
 Group:          Development/Languages/Python
 URL:            https://github.com/scrapy/w3lib
 Source:         https://files.pythonhosted.org/packages/source/w/w3lib/w3lib-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM 166-add-xfail-test_add_or_replace_parameter_fail.patch mcepl@suse.com
+# Allow working with Python fixed CVE-2021-23336
+Patch0:         166-add-xfail-test_add_or_replace_parameter_fail.patch
+BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module six >= 1.4.1}
 BuildRequires:  fdupes
@@ -56,7 +60,7 @@ This is a Python library of web-related functions, such as:
 * extract arguments from urls
 
 %prep
-%setup -q -n w3lib-%{version}
+%autosetup -p1 -n w3lib-%{version}
 
 %build
 %python_build
@@ -66,7 +70,7 @@ This is a Python library of web-related functions, such as:
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
 %check
-%python_exec setup.py test
+%pytest
 
 %files %{python_files}
 %doc README.rst